Anti-DDoS Pro and Anti-DDoS Premium are proxy-based mitigation services provided by Alibaba Cloud to mitigate distributed denial of service (DDoS) attacks. These proxy-based mitigation services can be used to protect network servers against volumetric DDoS attacks. To protect servers against volumetric and resource exhaustion DDoS attacks, Anti-DDoS Pro and Anti-DDoS Premium forward traffic to the Alibaba Cloud anti-DDoS network by using DNS resolution.

Anti-DDoS Pro and Anti-DDoS Premium

Alibaba Cloud provides the following two services based on the region where your servers are deployed:
  • Anti-DDoS Pro: applies to scenarios where your servers are deployed inside mainland China. It uses eight Border Gateway Protocol (BGP) lines at the Tbit/s level to protect servers against volumetric DDoS attacks.
  • Anti-DDoS Premium: applies to scenarios where your servers are deployed Outside mainland China. Backed by the world-leading distributed near-origin traffic scrubbing capabilities, Anti-DDoS Premium mitigates unlimited DDoS attacks.

For more information, see Differences between Sec-Traffic Manager provided by Anti-DDoS Pro and that provided by Anti-DDoS Premium.

How Anti-DDoS Pro and Anti-DDoS Premium work

You can connect your services to Anti-DDoS Pro or Anti-DDoS Premium by using domain names or ports. The domain names or the service IP addresses are mapped to the IP addresses or CNAME addresses of Anti-DDoS Pro or Anti-DDoS Premium instances based on forwarding rules that you configured. This way, traffic is redirected to the instances.

Inbound traffic passes through the anti-DDoS data center. Malicious network traffic is scrubbed and filtered in the traffic scrubbing center and non-malicious network traffic is forwarded back to the origin server by using forwarding ports. This ensures stable access to the origin servers.

Benefits

Anti-DDoS Pro and Anti-DDoS Premium are more stable and easier to deploy than traditional DDoS mitigation solutions. The two services rely on high-quality BGP networks and intelligent protection technologies to provide strong and precise protection with high availability.

  • Easy deployment

    You can connect your services to Anti-DDoS Pro or Anti-DDoS Premium by using domain names or ports. The process can take up to five minutes. You do not have to install any hardware, software, or configure routers.

  • Massive protection bandwidth

    Anti-DDoS Pro and Anti-DDoS Premium each can mitigate at least 8 Tbit/s DDoS attack in mainland China, and 2 Tbit/s outside mainland China. The two services can protect servers against attacks at the network layer, transport layer, and application layer.

  • Precise protection

    Anti-DDoS Pro and Anti-DDoS Premium can provide precise protection against various attacks on transactions, encryption, Layer 7 applications, smart terminals, and online businesses.

  • Intelligent protection

    Anti-DDoS Pro and Anti-DDoS Premium automatically optimize protection algorithms and learn service traffic baselines from the protection analysis of volumetric and resource exhaustion DDoS attacks. This enables the services to identify malicious IP addresses, and scrub and filter attack traffic.

  • Burstable protection

    Anti-DDoS Pro and Anti-DDoS Premium support burstable protection. You can configure this function in the console. The setting takes effect in seconds, and you do not need to install any additional devices. Your services will not be interrupted during the process. Therefore, you do not need to make any adjusts to your business.

  • Origin server security ensured

    Anti-DDoS Pro and Anti-DDoS Premium use instances to hide the IP addresses of origin servers. This way, attackers cannot find the address of your origin server. This allows you to increase the security of the origin servers.

  • Protection against volumetric DDoS attacks

    Volumetric DDoS attacks at the transport layer congest networks, leave data centers unavailable, and interrupt or paralyze your services. Based technologies such as proxy, detection, rebound, authentication, blacklist and whitelist, and packet compliance, Anti-DDoS Pro and Anti-DDoS Premium employ IP reputation investigation, near-origin traffic scrubbing, and in-depth packet analysis of network fingerprints, user behavior, and content characteristics. These technologies block and filter threats based on user-defined rules, which ensures that the protected services provide external services even under sustained attacks.

  • Protection against resource exhaustion DDoS attacks (HTTP flood attacks)
    Anti-DDoS Pro and Anti-DDoS Premium integrate intelligent protection engines to protect against resource exhaustion DDoS attacks when application-layer services are interrupted under attacks. The two services also support URL-level threat filtering at a custom frequency to improve protection efficiency, protection success rate, and work efficiency of O&M personnel. Intelligent protection engines provide effective protection by:
    • Learning your traffic to obtain traffic characteristics.
    • Dynamically generating normal service baselines.
    • Quickly discovering exceptions of traffic and characteristics.
    • Participating the attack characteristics analysis.
    • Automatically generating a combination of multi-dimensional policies.
    • Dynamically executing or canceling protection policy instructions.
  • Stability and high availability
    • Anti-DDoS Pro and Anti-DDoS Premium use high-availability network protection clusters to prevent single-point failure and redundancy. The processing capabilities of Anti-DDoS Pro and Anti-DDoS Premium can be scaled up. They also offer completely automated detection and attack policy matching to provide real-time protection, with scrubbing service availability of up to 99.99%.
    • Anti-DDoS Pro and Anti-DDoS Premium monitor the inbound traffic forwarded to the traffic scrubbing center, CPU and memory resources of all servers. This way, you can ensure the availability of the data center. They also monitor the availability of server engines and has an automatic offline recovery mechanism.
    • Anti-DDoS Pro and Anti-DDoS Premium monitor the availability of back-to-origin links and automatically switch to secondary links when primary links are unstable, which ensures link availability.
    • Anti-DDoS Pro and Anti-DDoS Premium perform health checks on protected origin servers. If an origin server is not running an optimal capacity, the service traffic is redirected to another origin server. They also monitor the HTTP status codes of origin servers and initiate back-to-origin or switchover operations when errors are detected.
  • Traffic rerouting

    Anti-DDoS Pro and Anti-DDoS Premium forward traffic based on cloud service-specific security events and DNS resolution. DDoS protection is disabled for secure cloud services and DDoS protection is enabled for vulnerable cloud services by connecting the cloud services to themselves. You can customize forwarding templates for Anti-DDoS Pro and Anti-DDoS Premium to automatically schedule DDoS protection based on the security status of cloud services. The templates contain Cloud Service Interaction, Tiered Protection, and Network Acceleration.

Scenarios

Anti-DDoS Pro and Anti-DDoS Premium are suitable for finance websites, e-commerce websites, portal websites, Internet egresses of government departments, portals, and open platforms. They provide DDoS protection for important live streaming and sales promotions. Anti-DDoS Pro and Anti-DDoS Premium protect against malicious attacks and blackmailing by competitors, and prevent mobile apps from malicious registration, empty box scams, and fraud traffic.

We recommend that you use Anti-DDoS Pro and Anti-DDoS Premium to mitigate the following security risks in the preceding industries and scenarios:
  • Ransom-driven DDoS attacks occur.
  • DDoS attacks have frozen your services and urgent protection is required to recover your services.
  • DDoS attacks occur frequently. Therefore, continuous protection is required against DDoS attacks to ensure service stability.

Differences between Sec-Traffic Manager provided by Anti-DDoS Pro and that provided by Anti-DDoS Premium

The following table lists the features that are supported by Anti-DDoS Pro and Anti-DDoS Premium. The features that are not listed in the table are supported by both Anti-DDoS Pro and Anti-DDoS Premium.

Notice The table allows you to distinguish between Anti-DDoS Pro and Anti-DDoS Premium. We recommend that you choose Anti-DDoS Pro for workloads deployed in mainland China and Anti-DDoS Premium for workloads deployed outside mainland China.

√: Supported, ×: Not supported

GUI element Description Anti-DDoS Pro Anti-DDoS Premium References
Instance Management >

Mainland China Acceleration (MCA)

MCA must be used with Anti-DDoS Premium Insurance or Unlimited Plan. If your servers are deployed outside mainland China, you can purchase an MCA instance to accelerate your services for users in mainland China. × Mainland China Acceleration billing methods

Configure Anti-DDoS Premium MCA

Instance Management >

Global Advanced Mitigation

Global advanced mitigation must be used with Anti-DDoS Premium Insurance that provides two advanced mitigation sessions. If the two advanced mitigation sessions are exhausted, you can purchase global advanced mitigation sessions. × Billing methods for global advanced mitigation

Purchase global advanced mitigation

Website Config >

Enable HTTP/2

On the Enter Site Information wizard page, you can add a domain name and turn on the Enable HTTP/2 switch. × Add a website
Website Config >

Cname Reuse

On the Enter Site Information wizard page, you can turn on the Cname Reuse switch. × CNAME reuse
Sec-Traffic Manager >

Network Acceleration

You can configure Network Acceleration from the General tab in the Anti-DDoS Premium console. × Configure Sec-Traffic Manager
Protection for Infrastructure >

Diversion from Origin Server

The diversion from origin server policy blocks network traffic transmitted from regions outside mainland China through China Telecom or China Unicom lines. × Configure diversion from the origin server
Protection for Infrastructure >

Deactivate Blackhole Status

You can manually deactivate the black hole status in the Anti-DDoS Pro console to recover services. × Deactivate a black hole
Investigation >

Operation Logs

You can view records of the last 30 days on the Operation Logs page in the Anti-DDoS Pro console. × Operation logs
Investigation >

Adv. Mitigation Logs

You can view records of the last 30 days on the Advanced Mitigation Logs page in the Anti-DDoS Premium console. × Query advanced mitigation logs

DDoS cost protection

Anti-DDoS Pro and Anti-DDoS Premium support DDoS cost protection. The services safeguard against cost incurred due to usage spikes on the protected Elastic Compute Service (ECS) instances or Server Load Balancer (SLB) instances caused by a DDoS attack. If any protected resources incur costs due to DDoS attacks, you can submit a ticket to obtain a voucher.